Using Xcode 10...
After Archiving the app and selecting "Distribute App," one can select "Enterprise" to distribute the app to the organization.
The next dialog asks about App Thinning (All compatible device variants is selected) and including a manifest for over-the-air-installation (not checked).
The next dialog allows one to Automatically manage signing.
At that point, a dialog appears that complains about missing the private key for the iOS Enterprise Distribution certificate.
It is generally a bad idea to pass around an original private key. Is it possible to generate a certificate to sign the app with for enterprise distribution that is derived from the original private key, but does not require the original private key to be on the machine? (hopefully that makes sense) If so, how?